[SECURITY] use taint/untaint before execution of custom sql
Reported by Gaspard Bucher | September 3rd, 2008 @ 12:44 PM | in 1.0
Using ruby's taint/untaint mechanism could ensure that we never get "dirty" strings in the SQL.
Everything is carefully quoted, "to_i" or protected using connection.quote(), so it should not be too hard to implement and make sure "to_i", connection.quote and other clearing methods "untaint".
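The pattern the ticket proposes, as an added example that is not zena's code: request values stay "dirty" until a clearing method (a to_i-style coercion or a quote()) turns them into a trusted fragment, and the SQL builder refuses anything else. It does not use Object#taint itself, because Ruby deprecated taint in 2.7 and removed it in 3.2; the SQLFragment, Clearing and build_sql names are assumptions for this example.

```ruby
# Added example (not zena's code): the taint/untaint idea from the ticket,
# written without Object#taint (deprecated in Ruby 2.7, removed in 3.2).
# A raw String is treated as tainted; only an SQLFragment produced by a
# clearing method may be bound into a query.

class TaintedSQLError < StandardError; end

# A piece of SQL that came out of a clearing method and is trusted.
class SQLFragment
  attr_reader :sql

  def initialize(sql)
    @sql = sql
  end

  def to_s
    sql
  end
end

module Clearing
  # Mirrors the role of connection.quote: escape embedded quotes and wrap
  # the value, then mark the result as trusted.
  def self.quote(value)
    SQLFragment.new("'" + value.to_s.gsub("'", "''") + "'")
  end

  # Mirrors the role of "to_i": integer coercion cannot carry SQL text.
  def self.integer(value)
    SQLFragment.new(value.to_s.to_i.to_s)
  end
end

# Fills %s placeholders in a literal template. Every bound value must already
# be an SQLFragment; a plain String (still "dirty") raises instead of being
# interpolated, which is the check the ticket asks for before execution.
def build_sql(template, *values)
  values.each do |v|
    next if v.is_a?(SQLFragment)
    raise TaintedSQLError, "untrusted value reached SQL: #{v.inspect}"
  end
  template % values.map(&:sql)
end

if __FILE__ == $PROGRAM_NAME
  puts build_sql("SELECT * FROM nodes WHERE id = %s", Clearing.integer("42abc"))
  puts build_sql("SELECT * FROM nodes WHERE name = %s", Clearing.quote("O'Brien"))
end
```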
Comments and changes to this ticket
-
Gaspard Bucher September 3rd, 2008 @ 02:54 PM
- Milestone set to 1.0
-
Gaspard Bucher September 29th, 2008 @ 05:58 PM
- Tag changed from critical, zena to zena
It's not that critical. Do not use this tag unless it's getting really really hot.
-
Gaspard Bucher May 18th, 2010 @ 09:47 AM
- Tag changed from zena to security, zena
Git repository: http://github.com/zena
Official website: http://zenadmin.org